Here’s How Researchers Exploit a Virtual Reality Application

Security researchers released a video yesterday showing how flaws that programmers often underestimate could allow hackers to invade the privacy and compromise the security of your virtual reality experience.

According to the researchers—Ibrahim Baggili, Peter Casey and Martin Vondráček—the flaws are found in a virtual reality (VR) application called Bigscreen and in the Unity game development platform.

Bigscreen is a popular virtual reality application that describes itself as a “virtual living room,” enabling friends to hang out together in a virtual world, watch movies in a virtual cinema, chat in the lobby and more.

Things Hackers Can Do

The vulnerabilities in the app allowed the researchers to hijack web infrastructure and perform multiple attacks through a custom-designed command-and-control server, including:

discover private rooms,

join any VR room,

eavesdrop on users while remaining invisible,

view VR users’ computer screens in real-time,

stealthily receive a victim’s screen sharing and microphone audio,

send messages on the user’s behalf,

remove/ban users from a room,

set up a worm that could spread across the Bigscreen community,

and many more.

Besides these flaws, a different flaw in Unity’s API allowed them to take control of users’ computers by downloading and installing malware without requiring any interaction.

Because the input boxes were not sanitized properly, hackers could have used the flaw to execute malicious JavaScript on users connecting to the Bigscreen lobby or rooms.

“The payload script will be executed upon the browser-based player entering a room affecting all members of the room. This attack vector allows for the modification/invocation of any variable/function within the scope of the Window,” researchers told Hack Hex.

“In summary, the ability to execute JavaScript on the victim’s machine allows for many other attacks such as phishing pop-ups, forged messages, and forced desktop sharing.”

“We observed a lack of authentication when handling private room joining and communications with the Bigscreen signaling server. As a result, several potential vulnerabilities arise, to include denial of service, manipulation of public rooms, brute force attacks, and server resource exhaustion.”

Attackers can also inject malicious JavaScript in Unity’s API to secretly download malware and execute it on a target system.

“The function Unity.openLink() was found to launch web links in the default browsers. An XSS attack containing an HTTP, FTP, or SMB link could cause arbitrary files to be fetched and downloaded,” researchers told Hack Hex.

“We expect that most of the applications using affected Unity API may be vulnerable.”

The team discovered the vulnerabilities while testing the security of VR systems through its National Science Foundation-funded project.
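The two mitigations these findings point to, output-encoding user-supplied text and restricting which links reach a link opener, are sketched below as an added example; it is not code from Bigscreen, Unity or the researchers. The helper names, the HTTPS-only policy and the host allowlist are assumptions made for illustration.

```javascript
// Added example with hypothetical helpers; not Bigscreen or Unity code.
const ALLOWED_SCHEMES = new Set(['https:']);    // assumption: only HTTPS links are needed
const ALLOWED_HOSTS = new Set(['example.com']); // assumption: placeholder trusted host

// Encode user-supplied text (room names, user names, chat messages) so a
// browser-based player renders it as text instead of parsing it as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Decide whether a link may be handed to the component that opens it.
function checkLink(raw) {
  if (typeof raw !== 'string' || raw.length > 2048) return { ok: false, reason: 'not a bounded string' };
  // Control characters and backslashes (UNC-style \\host\share paths) are refused outright.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return { ok: false, reason: 'control character or backslash' };
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'not an absolute URL' }; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: 'embedded credentials' };
  if (!ALLOWED_HOSTS.has(url.hostname)) return { ok: false, reason: `host ${url.hostname} not allowed` };
  return { ok: true, reason: 'ok', url: url.href };
}

// Wrapper around whatever actually opens the link; `opener` is injected so
// the policy can be tested without launching a browser.
function openLinkSafely(raw, opener) {
  const verdict = checkLink(raw);
  if (verdict.ok) opener(verdict.url); // pass the normalised URL, not the raw string
  return verdict;
}

// Constructed sample inputs (not taken from the research).
const SAMPLES = [
  'https://example.com/help',
  'smb://files.example/share/setup.exe',
  'ftp://files.example/setup.exe',
  'https://other.example/setup.exe',
];
for (const s of SAMPLES) console.log(s, '->', checkLink(s).reason);
```

Encoding must happen at the point where the text is written into the page, and the link check belongs in the native wrapper rather than in page script, since script running in the page is exactly what an XSS payload controls.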

Man-in-the-Room (MITR)

Man-in-the-Room is an attack in which a hacker secretly joins a room while remaining invisible to other users.

“They can’t see you, they can’t hear you, but the hacker can hear and see them, like an invisible Peeping Tom. A different layer of privacy has been invaded,” Ibrahim Baggili, founder and co-director of the Cyber Forensics Research and Education Group, said.

Bigscreen loads libraries (DLLs) without checking them, which allowed the researchers to modify the source code of selected libraries and change their behaviour, letting them hide their presence from the UI using XSS payloads.

“Our proof-of-concept WebRTC application was able to connect to a legitimate Bigscreen application. This led to complete control over one end of audio/video/microphone/data streams. Our application was invisible in the VR room because it did not send any data to other peers,” the researchers said.

Unity acknowledged the vulnerabilities by merely adding a note to its documentation stating that its platform “can be used to open more than just web pages, so it has important security implications you must be aware of.”